Employees on the Cyber Frontline


In the first quarter of 2022, employees found themselves more than ever at the front line of cyber defense. In part, this was down to a 54% increase in phishing attacks being responsible for initial attacker access, beating out vulnerability exploitation and third-party vulnerabilities among others. It was also due to an increase in email compromise being used for extortion.

Results from Kroll’s Threat Landscape Report for Q1 2022 revealed:

  • In Q1 2022, Kroll observed a 54% increase in phishing attacks being used for initial access, in comparison with Q4 2021;
  • Email compromise and ransomware were the two most common threat incident types;
  • Vulnerabilities such as ProxyShell and Log4j are being leveraged by multiple ransomware groups for initial access into systems, through approaches such as business email compromise (BEC) and cryptominers.

In one real-world case, a phishing email sent to an IT department was clicked by an end user, who then entered their log-in credentials. With access to global admin credentials, the threat actor was able to gain access to the system, take over multiple email accounts belonging to IT staff and C-level employees, and download sensitive data. A ransom note was left demanding payment to end the attack, and employees were targeted via text message, email and even social media to pressure victims into meeting the attacker's demands. Notably, no ransomware or encryption was used in the attack.

Alex Nixon, Senior Vice President, Cyber Risk, Kroll said, “As Australia joins forces with governments around the world to warn of cyber threats to critical infrastructure, we should remember how many of these large scale attacks start on a much smaller scale. Often beginning as phishing attacks or email compromise, attackers will elevate their privileges once an initial foothold is gained inside an organization.”

“This global threat report demonstrates what we are seeing here in Australia is not unique, but demonstrative of worldwide cybercrime trends. The Office of the Australian Information Commissioner’s latest Notifiable Data Breaches Report cited that phishing attacks resulting in compromised credentials were responsible for 32% of data breaches in Australia in the second half of 2021. This tallies with our Threat Landscape report, showing an increase in the number of phishing attacks as an initial access method, and reminds us that security must be built into the fabric of an organisation – it truly is everyone’s business.”

Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll said, “Employees are undoubtedly an important line of defense for any company. Security training programs need to enhance cyber awareness among employees and firms should encourage a culture where raising concerns and reporting suspicious issues is a positive thing. Our latest Kroll Threat Landscape Report underlines this more than ever, as in the last quarter employees faced not only phishing attacks but email compromises which lead to extortion or the introduction of malware.”

“Of further note in the Kroll Threat Landscape report was the continued use of relatively recently exposed vulnerabilities. While 2021 will be remembered as the year of the vulnerability, 2022, particularly the first quarter, will go down as the year that threat actor groups such as ransomware gangs harnessed those vulnerabilities to launch more destructive attacks. For instance, while most activity around Log4j exploitation in Q4 2021 revolved around cryptominers, threat actors from multiple ransomware gangs leveraged the vulnerability to set the stage for network encryption in Q1 2022.”

You can read the full report here.